5 Invoking gss

Name

Description

gss is the main program of GNU GSS.

Mandatory or optional arguments to long options are also mandatory or
optional for any corresponding short options.

Commands

gss recognizes these commands:

-l, --list-mechanisms
    List information about supported mechanisms in a human-readable
    format.
-m, --major=LONG
    Describe a `major status' error code value.
-a, --accept-sec-context
    Accept a security context as server.
-i, --init-sec-context=MECH
    Initialize a security context as client. MECH is the SASL name of
    the mechanism; use -l to list supported mechanisms.
-n, --server-name=SERVICE@HOSTNAME
    For -i, set the name of the remote host. For example,
    "imap@mail.example.com".

To initialize a Kerberos V5 security context, use the
--init-sec-context parameter. Kerberos V5 needs to know the name
of the remote entity, so you must also supply the --server-name
parameter, which provides the name of the server. For example, use
imap@mail.example.com to set up a security context with the imap
service on the host mail.example.com. The Kerberos V5 client will use
your ticket-granting ticket (which must already be available) to
acquire a server ticket for the service; the KDC must know about the
server for this to work. The tool prints the GSS-API context tokens,
base64 encoded, on standard output.

The tool then waits for the final Kerberos V5 context token from the
server. Note the status text informing you that message protection is
available.

To accept a Kerberos V5 context, the process is similar. The server
needs to know its own name so that it can find the host key in
(typically) /etc/shishi/shishi.keys. Once started, it will wait
for a context token from the client. Below we’ll paste in the token
printed above.